@article{wassermann ,
language = {English},
copyright = {Compilation and indexing terms, Copyright 2008 Elsevier Inc.},
title = {The essence of command injection attacks in web applications},
journal = {ACM SIGPLAN Notices},
author = {Su, Zhendong and Wassermann, Gary},
volume = { 41},
number = { 1},
year = {2006},
pages = {372 - 382},
issn = {0362-1340},
address = {New York, NY 10036-5701, United States},
abstract = {Web applications typically interact with a back-end database to retrieve persistent data and then present the data to the user as dynamically generated output, such as HTML web pages. However, this interaction is commonly done through a low-level API by dynamically constructing query strings within a general-purpose programming language, such as Java. This low-level interaction is ad hoc because it does not take into account the structure of the output language. Accordingly, user inputs are treated as isolated lexical entities which, if not properly sanitized, can cause the web application to generate unintended output. This is called a command injection attack, which poses a serious threat to web application security. This paper presents the first formal definition of command injection attacks in the context of web applications, and gives a sound and complete algorithm for preventing them based on context-free grammars and compiler parsing techniques. Our key observation is that, for an attack to succeed, the input that gets propagated into the database query or the output document must change the intended syntactic structure of the query or document. Our definition and algorithm are general and apply to many forms of command injection attacks. We validate our approach with SQLCHECK, an implementation for the setting of SQL command injection attacks. We evaluated SQLCHECK on real-world web applications with systematically compiled real-world attack data as input. SQLCHECK produced no false positives or false negatives, incurred low run-time overhead, and applied straightforwardly to web applications written in different languages. Copyright &copy; 2006 ACM.},
key = {Computer crime},
keywords = {World Wide Web;Database systems;Information retrieval;Websites;Query languages;Computer programming languages;Context free grammars;},
note = {Command injection attacks;Web applications;Parsing;Runtime verification;},
URL = {http://dx.doi.org/10.1145/1111320.1111070},
} 

@article{ripem-160 ,
language = {English},
copyright = {Copyright 1996, IEE},
title = {The RIPEMD-160 cryptographic hash function},
journal = {Dr. Dobb's Journal},
journal = {Dr. Dobb's J. (USA)},
author = {Bosselaers, A. and Dobbertin, H. and Preneel, B.},
volume = { 22},
number = { 1},
year = {1997/01/},
pages = {24, 26, 28, 78, 80 - },
issn = {1044-789X},
address = {USA},
abstract = {Cryptographic hash functions are an essential building block for applications that require data integrity. The authors propose that the RIPEMD-160 hash function is a secure replacement for MD4 and MD5},
keywords = {C listings;cryptography;data integrity;file organisation;},
note = {RIPEMD-160 cryptographic hash function;data integrity;MD4;MD5;secure replacement;},
} 

@inproceedings{6748981 ,
language = {English},
copyright = {Copyright 2000, IEE},
title = {Architectural impact of secure socket layer on Internet servers},
journal = {Proceedings 2000 International Conference on Computer Design},
author = {Kant, K. and Iyer, R. and Mohapatra, P.},
year = {2000//},
pages = {7 - 14},
address = {Los Alamitos, CA, USA},
note = {secure socket layer;Internet servers;SSL;protocol;Internet;secure communications;performance;architectural impact;computational cost;},
URL = {http://dx.doi.org/10.1109/ICCD.2000.878263},
} 

@inproceedings{BDGD ,
language = {English},
title = {Building an Encrypted and Searchable Audit Log},
journal = {Proceedings of 11th Network and Distributed System Security Symposium 2004},
author = {Brent R. Waters and Dirk Balfanz and Glenn Durfee and D. K. Smetters},
year = {2004},
URL = {http://crypto.stanford.edu/~bwaters/publications/papers/audit_log.pdf},
}

@inproceedings{AJW ,
language = {English},
title = {Network Log Anonymization: Application of Crypto-PAn to Cisco Netflows},
journal = {Proceedings of the Workshop on Secure Knowledge Management 2004},
author = {Adam Slagell and Jun Wang and William Yurcik},
year = {2004},
URL = {http://www.slagell.name/Adam_Slagells_Research_Home/Old_Projects_files/slagell04c.pdf},
}

@MISC{AA,
author = {Alessandro Acquisti},
title = {Privacy and Security of Personal Information},
YEAR = 2004,
HOWPUBLISHED = "\url{http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.69.6360&rep=rep1&type=pdf}"
}

@article{password ,
language = {English},
copyright = {Copyright 2007, The Institution of Engineering and Technology},
title = {Improving password security and memorability to protect personal and organizational information},
journal = {International Journal of Human-Computer Studies},
author = {Vu, K.-P.L. and Proctor, R.W. and Bhargav-Spantzel, A. and Tai, B.-L. and Joshua Cook and Schultz, E.E.},
volume = { 65},
number = { 8},
year = {2007/08/},
pages = {744 - 57},
issn = {1071-5819},
address = {UK},
abstract = {Personal information and organizational information need to be protected, which requires that only authorized users gain access to the information. The most commonly used method for authenticating users who attempt to access such information is through the use of username-password combinations. However, this is a weak method of authentication because users tend to generate passwords that are easy to remember but also easy to crack. Proactive password checking, for which passwords must satisfy certain criteria, is one method for improving the security of user-generated passwords. The present study evaluated the time and number of attempts needed to generate unique passwords satisfying different restrictions for multiple accounts, as well as the login time and accuracy for recalling those passwords. Imposing password restrictions alone did not necessarily lead to more secure passwords. However, the use of a technique for which the first letter of each word of a sentence was used coupled with a requirement to insert a special character and digit yielded more secure passwords that were more memorable. [All rights reserved Elsevier].},
keywords = {authorisation;message authentication;},
note = {password security;password memorability;authentication;information access;information security;},
URL = {http://dx.doi.org/10.1016/j.ijhcs.2007.03.007},
} 

@article{smartcard,
title = "Smart card based authentication - any future?",
journal = "Computers \& Security",
volume = "24",
number = "3",
pages = "188 - 191",
year = "2005",
note = "",
issn = "0167-4048",
doi = "DOI: 10.1016/j.cose.2005.03.002",
url = "http://www.sciencedirect.com/science/article/B6V8G-4G4XBKK-1/2/c12ba99533cfde90a685e3bb62bf581f",
key = "tagkey2005188"
}


@article{pass-smart,
title = "Two-factor mutual authentication based on smart cards and passwords",
journal = "Journal of Computer and System Sciences",
volume = "74",
number = "7",
pages = "1160 - 1172",
year = "2008",
note = "",
issn = "0022-0000",
doi = "DOI: 10.1016/j.jcss.2008.04.002",
url = "http://www.sciencedirect.com/science/article/B6WJ0-4SHF4S3-1/2/52052cdbb7c7a149abbeebd8a2cd927d",
author = "Guomin Yang and Duncan S. Wong and Huaxiong Wang and Xiaotie Deng",
keywords = "Two-factor authentication",
keywords = "Password",
keywords = "Smart-card",
keywords = "Guessing attack",
keywords = "Dictionary attack"
}

@article{passEncr ,
language = {English},
copyright = {Copyright 1978, IEE},
title = {Easy entry: the password encryption problem},
journal = {Operating Systems Review},
journal = {Oper. Syst. Rev. (USA)},
author = {Gait, J.},
volume = { 12},
number = { 3},
year = {1978/07/},
pages = {54 - 60},
issn = {0163-5980},
address = {USA},
abstract = {The management of unencrypted password files is a headache for a computer centre. The files have a perverse way of being left lying around, and they are subject to malversation by disaffected systems personnel or by anyone with access to the system who is sufficiently clever to bypass or otherwise subvert the system file protection scheme. Encrypted password files present an entry point to a ciphertext-only attack on the algorithm unless the algorithm in use is sufficiently strong. Because of a natural penchant on the part of users to adopt mnemonic passwords, many password encryption schemes are vulnerable to attack by repeated trials, i.e., repeated attempts to log in using guessed passwords, which may enable a penetrator to easily gain initial entry. Following initial entry, a major threat is brute-force attacks, i.e., systematic testing of all possible passwords, for which the defense is a protected encrypted password file},
keywords = {protection;security of data;},
note = {password encryption problem;malversation;encrypted password file;},
URL = {http://dx.doi.org/10.1145/775396.775403},
} 


@book{pfleeger,
 author = {Pfleeger,, Charles P. and Pfleeger,, Shari Lawrence},
 title = {Security in Computing},
 year = {2002},
 isbn = {0130355488},
 publisher = {Prentice Hall Professional Technical Reference},
}


@book{kuroseross,
 author = {Kurose,, James F. and Ross,, Keith W.},
 title = {Computer Networking: A Top-Down Approach (4th Edition)},
 year = {2007},
 isbn = {0321497708},
 publisher = {Addison-Wesley Longman Publishing Co., Inc.},
 address = {Boston, MA, USA},
 }


@BOOK{bishop,
   author = "Matt Bishop",
   title= "Computer Security: Art and Science",
   publisher = "Addison Wesley Professional",
   year = 2003
}


@book{stalling,
 author = {Stallings,, William},
 title = {Cryptography and Network Security (4th Edition)},
 year = {2005},
 isbn = {0131873164},
 publisher = {Prentice-Hall, Inc.},
 address = {Upper Saddle River, NJ, USA},
 }
 
 @book{Oppliger,
 author = {Oppliger,, Rolf},
 title = {Security technologies for the World Wide Web},
 year = {2000},
 isbn = {1-58053-045-1},
 publisher = {Artech House, Inc.},
 address = {Norwood, MA, USA},
 }

@inproceedings{shanmugam ,
language = {English},
copyright = {Compilation and indexing terms, Copyright 2008 Elsevier Inc.},
title = {A solution to block cross site scripting vulnerabilities based on service oriented architecture},
journal = {Proceedings - 6th IEEE/ACIS International Conference on Computer and Information Science, ICIS 2007; 1st IEEE/ACIS International Workshop on e-Activity, IWEA 2007},
author = {Shanmugam, Jayamsakthi and Ponnavaikko, M.},
year = {2007},
pages = {861 - 866},
address = {Piscataway, NJ 08855-1331, United States},
abstract = {Research data shows that, about 80% of the web applications are vulnerable to cross site scripting attacks. This is because of the fact that the users are allowed to enter tags in the input control for increasing the flexibility in handling web applications input. This increases the threat to the web application by allowing the hackers to plant worms in the web applications through the features like tags. Further, there are billions of web pages that are developed in different languages like PHP, ASP, JSP, HTML, CGI-PERL, .Net etc. There is no single solution available that can be applied for the web application to prevent XSS that are developed in different languages and deployed in different platforms. This paper presents a new solution to block Cross Site Scripting (XSS) attacks that is independent of the languages in which the web applications are developed and addresses XSS vulnerabilities arise from other interfaces. The solution is modularized, configured, and developed in .Net, XML and XSD. This approach is evaluated in a web application developed in JSP/Servlets deployed in JBOSS application server and is found effective as it provides the flexibility to be used across languages with a very minimal configuration to prevent XSS. &copy; 2007 IEEE.},
key = {World Wide Web},
keywords = {Communication;Computer crime;Cybernetics;Information management;Information science;Information services;Knowledge management;Linguistics;Markup languages;Personal computing;},
note = {WEB applications;Languages (traditional);International (CO);Cross site scripting;international conferences;Cross-site scripting (XSS);Research data;Applied (CO);Application servers;Other interfaces;web pages;Service oriented architecture (SOA);},
URL = {http://dx.doi.org/10.1109/ICIS.2007.45},
} 

@MISC{website:wiki-CIA,
     AUTHOR = "Wikipedia",
     TITLE = "CIA Triad",
     MONTH = "Februari",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/CIA_Triad}"
}

@MISC{website:wiki-UDP,
     AUTHOR = "Wikipedia",
     TITLE = "User Datagram Protocol",
     MONTH = "Februari",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/User_datagram_protocol}"
}

@MISC{website:wiki-TCP,
     AUTHOR = "Wikipedia",
     TITLE = "Transmission Control Protocol",
     MONTH = "Februari",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/Transmission_Control_Protocol}"
}

@MISC{website:wiki-rainbowTables,
     AUTHOR = "Wikipedia",
     TITLE = "Rainbow Table",
     MONTH = "Februari",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/Rainbow_table}"
}

@MISC{website:wiki-md5,
     AUTHOR = "Wikipedia",
     TITLE = "MD5",
     MONTH = "Mars",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/MD5}"
}

@MISC{website:wiki-smartcard,
     AUTHOR = "Wikipedia",
     TITLE = "Smart card",
     MONTH = "april",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/Smart_card}"
}

@misc{website:wiki-fingerprint,
   author = "Wikipedia",
   title = "Fingerprint recognition",
   year = "2009",
   month = "april",
   url = "\url{http://en.wikipedia.org/wiki/Fingerprint_recognition}",
}
 
@misc{website:wiki-voice,
   author = "Wikipedia",
   title = "Speaker recognition",
   year = "2009",
   month = "april",
   url = "\url{http://en.wikipedia.org/wiki/Voice_authentication}",
}

@misc{website:wiki-iris,
   author = "Wikipedia",
   title = "Iris recognition",
   year = "2009",
   month = "april",
   url = "\url{http://en.wikipedia.org/wiki/Iris_recognition}",
}


@misc{website:wiki-retinal,
   author = "Wikipedia",
   title = "Retinal scan",
   year = "2009",
   month = "april",
   url = "\url{http://en.wikipedia.org/wiki/Retina_scan}",
}

@MISC{website:wiki-vbox,
     AUTHOR = "Wikipedia",
     TITLE = "VirtualBox",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/VirtualBox}"
}

@MISC{website:wiki-nessus,
     AUTHOR = "Wikipedia",
     TITLE = "Nessus",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/Nessus_(software)}"
}

@MISC{website:wiki-sha,
     AUTHOR = "Wikipedia",
     TITLE = "SHA hash functions",
     MONTH = "Maj",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/SHA_hash_functions}"
}

@MISC{website:wiki-vpc,
     AUTHOR = "Wikipedia",
     TITLE = "Microsoft Virtual PC",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/Microsoft_Virtual_PC}"
}

@MISC{website:VPC-tut,
     AUTHOR = "Dan Goodell",
     TITLE = "Virtual PC Tutorial",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://www.goodells.net/virtualpc/vhd.htm}"
}

@MISC{website:vbox-puel,
     AUTHOR = "VirtualBox",
     TITLE = "VirtualBox PUEL",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://www.virtualbox.org/wiki/VirtualBox_PUEL}"
}

@MISC{website:comp-virt,
     AUTHOR = "Wikipedia",
     TITLE = "Comparison of platform virtual machines",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://en.wikipedia.org/wiki/Comparison_of_platform_virtual_machines}"
}


@MISC{website:vmware-cost,
     AUTHOR = "VMware",
     TITLE = "WMvare Cost savings",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://www.vmware.com/solutions/cost-savings/}"
}

@MISC{website:kon-vis,
     AUTHOR = "virtualisering.nu",
     TITLE = "Konsolidering eller virtualisering?",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://www.virtualisering.nu/templates/virtualisering.php?categoryID=126&id=413}"
}

@MISC{website:Webscarab,
     AUTHOR = "OWASP",
     TITLE = "OWASP WebScarab Project",
     MONTH = "April",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project}"
}

@MISC{website:nistsha3,
     AUTHOR = "NIST (National Institute of Standards and Technology)",
     TITLE = "CRYPTOGRAPHIC HASH PROJECT",
     MONTH = "Maj",
     YEAR = 2009,
     HOWPUBLISHED = "\url{http://csrc.nist.gov/groups/ST/hash/index.html}"
}

@MISC{ne,
	AUTHOR = "Nationalencyklopedin",
	MONTH = "Februari",
	YEAR = "2009",
	HOWPUBLISHED = "\url{http://www.ne.se}"
}

@MISC{virtualbox,
	AUTHOR = "VirtualBox",
	MONTH = "April",
	YEAR = "2009",
	HOWPUBLISHED = "\url{http://www.virtualbox.org/}"
}

@MISC{pul,
	AUTHOR = "Datainspektionen",
	MONTH = "Februari",
	YEAR = "2009",
	HOWPUBLISHED = "\url{http://www.datainspektionen.se/lagar-och-regler/personuppgiftslagen/}"
}

@MISC{pul2,
	AUTHOR = "Justitiedepartementet",
	MONTH = "Februari",
	YEAR = "2009",
	HOWPUBLISHED = "\url{http://www.riksdagen.se/webbnav/index.aspx?nid=3911&bet=1998:204}"
}



@UNPUBLISHED{cook,
   author = "Steven Cook",
   title = "A web developers guide to cross-site scripting",
   note = "As part of GIAC practical repository",
   month = Jan,
   year = 2003
  }

@UNPUBLISHED{pettit,
   author = "Steve Pettit",
   title = "Anatomy of a web application",
   note = "White paper",
   month = "July",
   year = 2001
  }
  
@INPROCEEDINGS{halfond06issse,
	author = {William G.J. Halfond and Jeremy Viegas and Alessandro Orso},
	title = {{A Classification of SQL-Injection Attacks and Countermeasures}},
	booktitle = {Proc. of the International Symposium on Secure Software Engineering},
	year = {2006},
	month = {Mars},
} 

@inproceedings{2006279982529 ,
language = {English},
copyright = {Compilation and indexing terms, Copyright 2008 Elsevier Inc.},
title = {Defending against injection attacks through context-sensitive
string evaluation},
journal = {Lecture Notes in Computer Science (including subseries
Lecture Notes in Artificial Intelligence and Lecture Notes in
Bioinformatics)},
author = {Pietraszek, Tadeusz and Berghe, Chris Vanden},
volume = {3858 LNCS},
year = {2006},
pages = {124 - 145},
issn = {03029743},
address = {Seattle, WA, United states},
key = {Computer crime},
keywords = {Computer programming;Error analysis;Metadata;Security of
data;Security systems;Software prototyping;World Wide Web;},
note = {Injection attacks;Internal sensors;Intrusion prevention;Web
applications;},
URL = {http://dx.doi.org/10.1007/11663812_7},
}

@article{2006189859670 ,
language = {English},
copyright = {Compilation and indexing terms, Copyright 2008 Elsevier Inc.},
title = {Web application security - SQL injection attacks},
journal = {Network Security},
author = {Morgan, David},
volume = {2006},
number = {4},
year = {2006},
pages = {4 - 5},
issn = {13534858},
key = {Security of data},
keywords = {Computer applications;Database systems;Vectors;World Wide Web;},
note = {Arbitrary SQL commands;Web applications;},
URL = {http://dx.doi.org/10.1016/S1353-4858(06)70353-1},
}